DNS deluge for x.p.ctrc.cc

Joe Abley jabley at isc.org
Sun Feb 26 17:02:38 UTC 2006


On 25-Feb-2006, at 03:41, bmanning at vacation.karoshi.com wrote:

>> Limit UDP queries to 512 bytes.  This greatly decreases the
>> amplification affect, though it doesn't stop it.
>
> 	<limiting UDP to 512 has other, unwanted effects,
> 	 edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
> 	 is this really what is wanted?>

Expanding on this slightly, since I think this merits more discussion  
-- if there was widespread filtering of 53/udp packets to 512 bytes,  
I can see two consequences:

1. A temporary decrease in attack traffic: the malware authors will  
adapt, and the floods will continue except with smaller packets. For  
attacks launched from drones, the amplification arguably isn't as  
important to the attacker as it might be for attacks which have  
single sources.

2. In future, increased use of things like DNSSEC, dynamic updates  
and IPv6 (with attendant AAAA records) are going to make legitimate,  
EDNS0, large 53/udp packets more common, and crippling the transport  
for EDNS0 is going to cause migraines for helpdesks across the world.

As a temporary mitigation tool today, when the volume of legitimate,  
large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets  
might *sound* reasonable. However, we all know how permanent  
temporary filters can be. Crippling EDNS0 transport in the future  
seems like a very high price to pay for what might be a very  
temporary, short-term reduction in attack traffic.


Joe



More information about the NANOG mailing list